The Tor Project is working to remedy a vulnerability in its anonymity software following the sudden cancellation of a talk at next month’s Black Hat security conference in Las Vegas that would have revealed it.
The planned talk, entitled “You Don’t Have to be the NSA to Break Tor: Deanonymizing Users on a Budget,” would have demonstrated a way to unmask users of Tor, the anonymity network and accompanying browser software used for private Web browsing. Alexander Volynkin, a researcher with the Computer Emergency Response Team (CERT) at Carnegie Mellon University’s Software Engineering Institute, was to deliver the briefing.
“We were notified by the legal counsel for SEI and CMU that Alexander Volynkin would not be able to speak at Black Hat USA 2014 due to some issues with the work not being approved,” Meredith Corley, a spokesperson for the Black Hat conference, told TechNewsWorld. “We complied with the legal request and removed the Briefing from our schedule.”
‘We Have Questions’
“We’re still working with CERT to do a coordinated disclosure of the details (hopefully this week),” wrote Roger Dingledine, a project leader, director and researcher for The Tor Project, in a Monday blog post in response to news of the cancellation.
In the meantime, “we did not ask Black Hat or CERT to cancel the talk,” Dingledine noted. “We did (and still do) have questions for the presenter and for CERT about some aspects of the research, but we had no idea the talk would be pulled before the announcement was made.”
Tor has been “informally shown some materials” about the exploit, but “we never received slides or any description of what would be presented in the talk itself beyond what was available on the Black Hat Web page,” he added.
‘We Think We Know What They Did’
Since the talk was canceled, The Tor Project believes it has figured out the details of the problem itself, Dingledine wrote in a subsequent message sent Monday to the Tor public mailing list.
“I think I have a handle on what they did, and how to fix it,” he said. “We’ve been trying to find delicate ways to explain that we think we know what they did, but also it sure would have been smoother if they’d opted to tell us everything.”
In general, “we encourage research on the Tor network along with responsible disclosure of all new and interesting attacks,” Dingledine wrote. “Researchers who have told us about bugs in the past have found us pretty helpful in fixing issues, and generally positive to work with.”
For now, The Tor Project is working on a fix for the bug it identified.
“The bug is a nice bug, but it isn’t the end of the world,” Dingledine concluded. “And of course these things are never as simple as ‘close that one bug and you’re 100% safe.’”
Both The Tor Project and Carnegie Mellon declined to provide further details.
‘It Brings Up Privacy Concerns’
While Black Hat’s announcement of the cancellation makes it clear that at least some of the content in the talk had not been signed off on, it’s “difficult to say what the legal concerns were,” Sean Kane, a partner in the interactive entertainment group at Frankfurt Kurnit Klein + Selz, told TechNewsWorld.
Nevertheless, “I can see this from the perspective of Carnegie Mellon’s counsel,” Kane said. “Even taking away the fact that they may not have approved this in advance, it brings up privacy concerns.”
Such issues are “a hot button today for individuals, regulators and lawyers,” Kane added. “It’s not surprising it raised some red flags.”
Other possible concerns could include how the exploit interacts with the software running the Tor network, as well as the possibility that bodies such as the Justice Department “may not want it to be easy to discover,” he pointed out.
In any case, “this is one of those things where, for the purposes of counsel, it’s always easier to say ‘no’ and take the time later to decide whether that’s the right decision,” Kane concluded.
‘Analyzing Traffic Without Approval’
“My guess is the researchers performed their research by setting up a real Tor exit node and looking at the traffic coming out of it, as opposed to simulating an exit node and creating their own traffic to analyze,” Jeremy Gillula, a staff technologist with the Electronic Frontier Foundation, told TechNewsWorld.
“They may not have gotten the appropriate IRB approval before doing this,” Gillula added, “and CMU’s legal team may also be concerned that sniffing traffic coming out of a Tor exit node may violate wiretap laws, since technically doing so involves analyzing people’s Internet traffic without their approval.”